News

NSA Extends Access Control to Network Storage

The National Security Agency is leading an effort to extend its access control work into the arena of network file storage. The effort involves integrating NSA's Flask mandatory access control (MAC) architecture -- now the basis of Security-Enhanced Linux (SELinux) -- into the Network File System (NFS) protocol widely used for network-attached storage devices.

David Quigley of NSA's National Information Assurance Research Laboratory presented the latest work on the project, called Labeled NFS, at the 71st meeting of the Internet Engineering Task Force this week in Philadelphia. IETF currently oversees the NFS protocol.

NSA initiated and led the effort to develop SELinux, an implementation of NSA's Flask MAC architecture for Linux. With MAC, programs and users are assigned attributes such as security levels. Whenever a program spawns a process thread or calls a file, the attributes are checked against the organization's authorization rules.

By deploying MAC, organizations can ensure that machine intruders don't hijack programs to execute malicious tasks, and they can prevent employees from accessing documents they don't have permission to view.

Labeled NFS extends those features across the network. By having NFS handle MAC labels, someone using a trusted computer can read and write files and execute programs that reside on NFS-based network storage. Today, the Flask architecture requires that all programs and files be stored locally.

Labeled NFS can work in smart mode, which allows the file server to make access control decisions, or dumb mode, which means it takes instructions from the client machine.

James Morris, principal software engineer at Red Hat, published the first recommendation for this approach, originally called Security Enhanced NFS, last summer. The company incorporates SELinux into its Red Hat Enterprise Linux operating system.

In addition to SELinux, Labeled NFS could also support Solaris Trusted Extensions, TrustedBSD and Security Enhanced Darwin, a MAC-enhanced version of the Apple operating system.

About the Author

Joab Jackson is the chief technology editor of Government Computing News (GCN.com).

comments powered by Disqus

Featured

  • Hands On: New VS Code Insiders Build Creates Web Page from Image in Seconds

    New Vision support with GitHub Copilot in the latest Visual Studio Code Insiders build takes a user-supplied mockup image and creates a web page from it in seconds, handling all the HTML and CSS.

  • Naive Bayes Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the naive Bayes regression technique, where the goal is to predict a single numeric value. Compared to other machine learning regression techniques, naive Bayes regression is usually less accurate, but is simple, easy to implement and customize, works on both large and small datasets, is highly interpretable, and doesn't require tuning any hyperparameters.

  • VS Code Copilot Previews New GPT-4o AI Code Completion Model

    The 4o upgrade includes additional training on more than 275,000 high-quality public repositories in over 30 popular programming languages, said Microsoft-owned GitHub, which created the original "AI pair programmer" years ago.

  • Microsoft's Rust Embrace Continues with Azure SDK Beta

    "Rust's strong type system and ownership model help prevent common programming errors such as null pointer dereferencing and buffer overflows, leading to more secure and stable code."

  • Xcode IDE from Microsoft Archrival Apple Gets Copilot AI

    Just after expanding the reach of its Copilot AI coding assistant to the open-source Eclipse IDE, Microsoft showcased how it's going even further, providing details about a preview version for the Xcode IDE from archrival Apple.

Most   Popular

Subscribe on YouTube

Upcoming Training Events

0 AM